CVE-2026-58618 is a high-severity Microsoft Excel vulnerability that can let an attacker run code after a user opens or otherwise processes a malicious file locally. Despite Microsoft calling it a “Remote Code Execution Vulnerability,” its CVSS 3.1 vector begins with AV:L, meaning exploitation does not occur directly across a network.
That apparent contradiction is intentional. As Microsoft explains in its Security Update Guide, remote code execution describes where the attacker may be located and the eventual impact, while the CVSS attack-vector metric describes where the vulnerable component must process the exploit. A remote attacker can send the weaponized workbook, but Excel must open or process it on the target device.
Published as part of Microsoft’s July 14, 2026 security updates, CVE-2026-58618 carries a CVSS 3.1 base score of 7.8 and an Important severity rating. Microsoft and the National Vulnerability Database describe the underlying weakness as a heap-based buffer overflow, tracked as CWE-122.
The easiest way to understand the classification is to separate the delivery mechanism from the execution mechanism.
An attacker could create a malicious Excel document and deliver it remotely through email, Microsoft Teams, cloud storage, a compromised website, or another file-sharing channel. The attacker does not need physical access to the target computer and does not necessarily need an existing account on it.
However, merely placing that file in an inbox or download folder is not enough to exploit CVE-2026-58618. The malicious content must reach a vulnerable copy of Excel and be processed on the local system. Microsoft’s CVSS vector confirms that user interaction is required:
The important fields are AV:L and UI:R:
This pattern is common enough that arbitrary code execution, or ACE, is often a more intuitively precise description. Microsoft nevertheless uses RCE broadly for vulnerabilities that can allow attacker-controlled code to run when malicious content supplied by a remote party is opened.
For CVE-2026-58618, the vulnerable operation happens inside Excel’s local process. Microsoft describes a heap-based buffer overflow, which means specially constructed input can cause Excel to write data beyond an allocated region of heap memory. Under exploitable conditions, memory corruption of that kind can redirect execution to attacker-controlled instructions.
The likely attack chain is therefore straightforward:
This distinction matters when comparing CVE-2026-58618 with an AV:N vulnerability. A network-vector flaw can generally be triggered by sending traffic to a reachable service or application interface without first arranging local file processing. CVE-2026-58618 instead depends on malicious content reaching Excel and on required user interaction, so AV:N would overstate its network reachability.
The Local designation should not be read as meaning that an attacker must already have logged on to Windows. The PR:N field specifically indicates that prior access or privileges are not required. In document-based attacks, “local” frequently describes the application boundary rather than the attacker’s starting position.
Successful exploitation could potentially allow malicious code to access data available to the user, alter files or settings, install additional payloads, or disrupt the system. The code would ordinarily run with the privileges of the account operating Excel, so standard-user accounts provide more containment than local administrator accounts.
That privilege boundary is particularly important in enterprise deployments. If users routinely work with administrative rights, successful exploitation may give malware considerably more control over the workstation. With standard accounts, an attacker may need a separate privilege-escalation vulnerability to obtain system-level access, but could still steal documents, browser data, authentication material, and other information accessible to the user.
Microsoft’s published record does not characterize CVE-2026-58618 as a remotely exploitable, no-click network flaw. It is better understood as a remote attacker, local trigger vulnerability: the adversary can originate outside the organization, but exploitation occurs when a victim’s local Excel process handles the malicious input.
At publication, CISA’s supplemental assessment recorded no known exploitation and classified the flaw as not readily automatable. That does not make malicious documents harmless; it indicates there was no confirmed exploitation in the available record when the CVE was published on July 14, 2026.
For products with explicit fixed build thresholds, Microsoft’s CVE data identifies:
Office Online Server also deserves separate attention because it is serviced independently from desktop Microsoft 365 Apps. Microsoft’s July release associates the server-side fixes with KB5002884 and KB5002886, depending on the installed component and update path.
Organizations using Office LTSC or MSI-based Office releases should check the exact installed build and applicable update rather than relying on a Microsoft 365 compliance view. Mixed estates frequently contain older perpetual Office installations that are not governed by the same deployment rings as Click-to-Run clients.
None should substitute for installing Microsoft’s update. Memory-corruption vulnerabilities can be adapted to different delivery methods, and users may receive files through channels that bypass the organization’s primary email gateway.
The practical lesson from CVE-2026-58618 is that AV:L does not mean locally authored or locally initiated by the attacker. It means the exploit must be processed through a local attack surface. Microsoft’s RCE title describes the attacker-controlled code execution outcome and the possibility of remote delivery; the CVSS vector describes the final technical step required to reach it.
For administrators, the distinction changes how the risk should be modeled, but not the immediate response: update affected Excel, Office for Mac, and Office Online Server installations, then confirm that July 14, 2026 builds have actually reached every managed device.
That apparent contradiction is intentional. As Microsoft explains in its Security Update Guide, remote code execution describes where the attacker may be located and the eventual impact, while the CVSS attack-vector metric describes where the vulnerable component must process the exploit. A remote attacker can send the weaponized workbook, but Excel must open or process it on the target device.
Published as part of Microsoft’s July 14, 2026 security updates, CVE-2026-58618 carries a CVSS 3.1 base score of 7.8 and an Important severity rating. Microsoft and the National Vulnerability Database describe the underlying weakness as a heap-based buffer overflow, tracked as CWE-122.
Remote Delivery Does Not Mean Network Exploitation
The easiest way to understand the classification is to separate the delivery mechanism from the execution mechanism.An attacker could create a malicious Excel document and deliver it remotely through email, Microsoft Teams, cloud storage, a compromised website, or another file-sharing channel. The attacker does not need physical access to the target computer and does not necessarily need an existing account on it.
However, merely placing that file in an inbox or download folder is not enough to exploit CVE-2026-58618. The malicious content must reach a vulnerable copy of Excel and be processed on the local system. Microsoft’s CVSS vector confirms that user interaction is required:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HThe important fields are AV:L and UI:R:
- AV:L means the vulnerable component is attacked through a local interface or requires local processing.
- UI:R means someone other than the attacker must perform an action, such as opening a malicious workbook.
- PR:N means the attacker does not need prior privileges on the target system.
- AC:L means Microsoft considers the attack complexity low once the malicious file reaches the vulnerable application.
This pattern is common enough that arbitrary code execution, or ACE, is often a more intuitively precise description. Microsoft nevertheless uses RCE broadly for vulnerabilities that can allow attacker-controlled code to run when malicious content supplied by a remote party is opened.
The CVSS Vector Measures the Last Mile
CVSS Attack Vector is narrowly defined. It measures the proximity required to reach and exploit the vulnerable component, not the geographical location of the person who created or distributed the payload.For CVE-2026-58618, the vulnerable operation happens inside Excel’s local process. Microsoft describes a heap-based buffer overflow, which means specially constructed input can cause Excel to write data beyond an allocated region of heap memory. Under exploitable conditions, memory corruption of that kind can redirect execution to attacker-controlled instructions.
The likely attack chain is therefore straightforward:
- An attacker constructs a workbook or other Excel-compatible file containing malformed data.
- The file is delivered to the target through a remote channel.
- A user opens or processes it with an affected Excel installation.
- Excel encounters the malformed content and triggers memory corruption.
- Successful exploitation runs code within the affected user’s security context.
This distinction matters when comparing CVE-2026-58618 with an AV:N vulnerability. A network-vector flaw can generally be triggered by sending traffic to a reachable service or application interface without first arranging local file processing. CVE-2026-58618 instead depends on malicious content reaching Excel and on required user interaction, so AV:N would overstate its network reachability.
The Local designation should not be read as meaning that an attacker must already have logged on to Windows. The PR:N field specifically indicates that prior access or privileges are not required. In document-based attacks, “local” frequently describes the application boundary rather than the attacker’s starting position.
A Successful Exploit Carries Full Impact
The remaining CVSS fields explain why the vulnerability still receives a 7.8 High score despite requiring user interaction. Microsoft assigns high impact to confidentiality, integrity, and availability, represented by C:H, I:H, and A:H.Successful exploitation could potentially allow malicious code to access data available to the user, alter files or settings, install additional payloads, or disrupt the system. The code would ordinarily run with the privileges of the account operating Excel, so standard-user accounts provide more containment than local administrator accounts.
That privilege boundary is particularly important in enterprise deployments. If users routinely work with administrative rights, successful exploitation may give malware considerably more control over the workstation. With standard accounts, an attacker may need a separate privilege-escalation vulnerability to obtain system-level access, but could still steal documents, browser data, authentication material, and other information accessible to the user.
Microsoft’s published record does not characterize CVE-2026-58618 as a remotely exploitable, no-click network flaw. It is better understood as a remote attacker, local trigger vulnerability: the adversary can originate outside the organization, but exploitation occurs when a victim’s local Excel process handles the malicious input.
At publication, CISA’s supplemental assessment recorded no known exploitation and classified the flaw as not readily automatable. That does not make malicious documents harmless; it indicates there was no confirmed exploitation in the available record when the CVE was published on July 14, 2026.
The Affected Footprint Extends Beyond One Excel Release
Microsoft’s CVE data lists a broad Office footprint spanning Windows and macOS. Affected products include Microsoft 365 Apps for Enterprise, Excel 2016, Office 2019, Office LTSC 2021, Office LTSC 2024, Microsoft 365 and LTSC Office editions for Mac, and Office Online Server.For products with explicit fixed build thresholds, Microsoft’s CVE data identifies:
- Excel 2016 builds earlier than 16.0.5561.1001 as affected.
- Office for Mac builds earlier than 16.111.26071215 as affected.
- Office Online Server builds earlier than 16.0.10417.20175 as affected.
Office Online Server also deserves separate attention because it is serviced independently from desktop Microsoft 365 Apps. Microsoft’s July release associates the server-side fixes with KB5002884 and KB5002886, depending on the installed component and update path.
Organizations using Office LTSC or MSI-based Office releases should check the exact installed build and applicable update rather than relying on a Microsoft 365 compliance view. Mixed estates frequently contain older perpetual Office installations that are not governed by the same deployment rings as Click-to-Run clients.
Treat the Workbook as the Entry Point
Endpoint controls can reduce exposure while July’s Office fixes move through deployment rings. Email filtering, attachment sandboxing, Mark of the Web handling, Protected View, Microsoft Defender Attack Surface Reduction rules, and restrictions on untrusted Office content all add friction to malicious-document campaigns.None should substitute for installing Microsoft’s update. Memory-corruption vulnerabilities can be adapted to different delivery methods, and users may receive files through channels that bypass the organization’s primary email gateway.
The practical lesson from CVE-2026-58618 is that AV:L does not mean locally authored or locally initiated by the attacker. It means the exploit must be processed through a local attack surface. Microsoft’s RCE title describes the attacker-controlled code execution outcome and the possibility of remote delivery; the CVSS vector describes the final technical step required to reach it.
For administrators, the distinction changes how the risk should be modeled, but not the immediate response: update affected Excel, Office for Mac, and Office Online Server installations, then confirm that July 14, 2026 builds have actually reached every managed device.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: techradar.com
An ancient Microsoft Excel security flaw could let hackers hijack your entire system, so patch now | TechRadar
CISA is warning about ongoing exploitation of a 2008 bugwww.techradar.com